
[scarthgap] go: split CVE-2025-61726 regression fix

Message ID 20260528011239.528751-1-hjadon@cisco.com
State New
Series [scarthgap] go: split CVE-2025-61726 regression fix

Commit Message

From: Himanshu Jadon <hjadon@cisco.com>

Restore the originally submitted CVE backport and carry the ordering
correction fix separately for internal/godebugs.All as a separate
regression patch. This keeps the security backport easier to audit and
makes the follow-up fix explicit.

The ordering issue was introduced when the existing backport patch was
modified by commit [1]. The same change also dropped zipinsecurepath
from the patch hunk context. Restore the original hunk context and keep
the ordering correction as a separate follow-up patch.

Keep the regression patch immediately after CVE-2025-61726.patch in
SRC_URI because it is a direct fixup for that patch in the same file and
hunk area. This is safe because no later Go patch in the current stack
modifies src/internal/godebugs/table.go, so placing the fixup here makes
the dependency explicit without interfering with later validated patches.

[1] https://git.openembedded.org/openembedded-core/commit/?id=b670b11ff4845b64f861041681ace9c21db16eed

Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
---
 meta/recipes-devtools/go/go-1.22.12.inc       |  1 +
 .../go/go/CVE-2025-61726-regression.patch     | 49 +++++++++++++++++++
 .../go/go/CVE-2025-61726.patch                | 21 ++++----
 3 files changed, 60 insertions(+), 11 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch

Patch

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 3fa421e223..c095e54fbb 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -33,6 +33,7 @@  SRC_URI += "\
     file://CVE-2025-61729.patch \
     file://CVE-2025-61730.patch \
     file://CVE-2025-61726.patch \
+    file://CVE-2025-61726-regression.patch \
     file://CVE-2025-61728.patch \
     file://CVE-2025-61731.patch \
     file://CVE-2025-68119-dependent.patch \
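Review bot: the adjacency of file://CVE-2025-61726-regression.patch to file://CVE-2025-61726.patch is load-bearing, not cosmetic: the fixup's hunk is anchored at @@ -51,8 +51,8 @@ on the table.go state produced by the CVE patch, so it only applies cleanly while nothing between the two touches src/internal/godebugs/table.go. The commit message states that no later patch in the stack does, which is the right precondition to record; if the stack is ever reordered or a future table.go backport is added, this pair must stay together, and the regression patch header is the right place for that dependency since SRC_URI lists in .inc files are not normally commented.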
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch b/meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch
new file mode 100644
index 0000000000..bb2b5ac439
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch
@@ -0,0 +1,49 @@ 
+From a92d36cef2c1838e58dd1ec51bd147bd94e916fc Mon Sep 17 00:00:00 2001
+From: Himanshu Jadon <hjadon@cisco.com>
+Date: Thu, 14 May 2026 05:40:12 -0700
+Subject: [PATCH] go: Fix CVE-2025-61726.patch variable ordering
+
+The backported CVE-2025-61726 patch introduced a regression in
+src/internal/godebugs/table.go by adding urlmaxqueryparams out of
+alphabetical order.
+
+From Go's source code[1], the All table from godebugs must be populated
+alphabetically by Name, and Lookup[2] uses binary search to find the
+variable.
+
+The wrong ordering caused Lookup to return nil for urlmaxqueryparams,
+which triggered runtime failures.
+
+Fix this by moving urlmaxqueryparams before x509sha1.
+
+This change was validated with docker-moby (original issue), where a
+container ran successfully and no traces were observed in the logs.
+
+[1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
+[2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100
+
+CVE: CVE-2025-61726
+Upstream-Status: Inappropriate [OE-specific backport ordering fix]
+
+Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
+Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
+---
+ src/internal/godebugs/table.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
+index 4ae0430..7178df6 100644
+--- a/src/internal/godebugs/table.go
++++ b/src/internal/godebugs/table.go
+@@ -51,8 +51,8 @@ var All = []Info{
+ 	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
+ 	{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
+ 	{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
+-	{Name: "x509sha1", Package: "crypto/x509"},
+ 	{Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
++	{Name: "x509sha1", Package: "crypto/x509"},
+ 	{Name: "x509usefallbackroots", Package: "crypto/x509"},
+ 	{Name: "x509usepolicies", Package: "crypto/x509"},
+ 	{Name: "zipinsecurepath", Package: "archive/zip"},
+-- 
+2.35.6
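Review bot: the move of urlmaxqueryparams ahead of x509sha1 is the correct sort position ("u" precedes "x"), and the resulting hunk places it between tlsunsafeekm and x509sha1 as the header's own reasoning about the binary-search Lookup requires. Two points on the header: the references [1] and [2] link to master with line anchors (#L20, #L100), which drift as table.go changes, so pinning them to a commit would keep them useful; and the stated validation is only the docker-moby runtime check, whereas a direct check that Lookup("urlmaxqueryparams") is non-nil, or running the internal/godebugs package tests, would catch this class of ordering regression mechanically and is worth mentioning as the verification used. Upstream-Status: Inappropriate with a bracketed reason is appropriate here since the defect only exists in the OE backport.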
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
index bdd10bc933..ab053ff55c 100644
--- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch
+++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
@@ -1,4 +1,4 @@ 
-From bf06767a9ac737387eee77c7eedd67c65e853ac2 Mon Sep 17 00:00:00 2001
+From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001
 From: Damien Neil <dneil@google.com>
 Date: Mon, 3 Nov 2025 14:28:47 -0800
 Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams
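Review bot: the From line changes from bf06767a9ac7 to 85050ca6146f without the commit message saying why; since the body says this restores the originally submitted backport, state explicitly that 85050ca6146f is the commit id the original submission carried (the cherry-pick trailer still names 85c794ddce26 as the master commit, so a reader cannot infer the relationship between the two ids from the patch alone).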
@@ -36,7 +36,6 @@  Reviewed-by: Junyang Shao <shaojunyang@google.com>
 TryBot-Bypass: Michael Pratt <mpratt@google.com>
 (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a)
 Signed-off-by: Deepak Rathore <deeratho@cisco.com>
-Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
 ---
  doc/godebug.md                 |  7 +++++
  src/internal/godebugs/table.go |  1 +
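Review bot: dropping the Eduardo Ferreira Signed-off-by here is consistent with moving his ordering fix into CVE-2025-61726-regression.patch, where the sign-off is retained, so authorship of each change is preserved; no further action needed, but the commit message could mention that the sign-off travels with the split-out fix.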
@@ -46,7 +45,7 @@  Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
  5 files changed, 85 insertions(+)
 
 diff --git a/doc/godebug.md b/doc/godebug.md
-index ae4f057..635597e 100644
+index ae4f0576b4..635597ea42 100644
 --- a/doc/godebug.md
 +++ b/doc/godebug.md
 @@ -126,6 +126,13 @@ for example,
@@ -64,19 +63,19 @@  index ae4f057..635597e 100644
  to concerns around VCS injection attacks. This behavior can be renabled with the
  setting `allowmultiplevcs=1`.
 diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
-index 33dcd81..7178df6 100644
+index 33dcd81fc3..4ae043053c 100644
 --- a/src/internal/godebugs/table.go
 +++ b/src/internal/godebugs/table.go
-@@ -51,6 +51,7 @@ var All = []Info{
-	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
+@@ -52,6 +52,7 @@ var All = []Info{
 	{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
 	{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
-+	{Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
 	{Name: "x509sha1", Package: "crypto/x509"},
++	{Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
 	{Name: "x509usefallbackroots", Package: "crypto/x509"},
 	{Name: "x509usepolicies", Package: "crypto/x509"},
+	{Name: "zipinsecurepath", Package: "archive/zip"},
 diff --git a/src/net/url/url.go b/src/net/url/url.go
-index d2ae032..cdca468 100644
+index d2ae03232f..5219e3c130 100644
 --- a/src/net/url/url.go
 +++ b/src/net/url/url.go
 @@ -13,6 +13,7 @@ package url
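Review bot: this hunk deliberately re-introduces the out-of-order insertion (urlmaxqueryparams after x509sha1 at @@ -52,6 +52,7 @@) that the new regression patch then corrects, so the source tree is knowingly in the broken state described in the regression patch (Lookup returns nil for urlmaxqueryparams) between the two patches. That is acceptable given the audit goal and the enforced adjacency, but the commit message should say so plainly so nobody bisects the patch stack and stops on the intermediate state. The restored context line for zipinsecurepath brings the hunk back to six old-side lines, matching the restored header, and the index line 33dcd81fc3..4ae043053c chains exactly into the regression patch's 4ae0430..7178df6, which is a useful consistency check that the two patches were generated against each other.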
@@ -119,7 +118,7 @@  index d2ae032..cdca468 100644
 		var key string
 		key, query, _ = strings.Cut(query, "&")
 diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
-index fef236e..b2f8bd9 100644
+index fef236e40a..b2f8bd95fc 100644
 --- a/src/net/url/url_test.go
 +++ b/src/net/url/url_test.go
 @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) {
@@ -178,7 +177,7 @@  index fef236e..b2f8bd9 100644
 	url *URL
 	out string
 diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
-index 517ec0e..88d6d8c 100644
+index 517ec0e0a4..335f7873b3 100644
 --- a/src/runtime/metrics/doc.go
 +++ b/src/runtime/metrics/doc.go
 @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically.
@@ -194,4 +193,4 @@  index 517ec0e..88d6d8c 100644
 		The number of non-default behaviors executed by the crypto/x509
 		package due to a non-default GODEBUG=x509sha1=... setting.
 --
-2.34.1
+2.35.6
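Review bot: this trailer change (2.34.1 to 2.35.6) and the index-line changes in the preceding hunks (ae4f057..635597e to ae4f0576b4..635597ea42 and the same for url.go, url_test.go and metrics/doc.go) are regeneration churn with no effect on what git apply does; they are fine if this is byte-for-byte the originally submitted patch, but the commit message should say that explicitly so a reviewer can distinguish restored metadata from intended change.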